Hacking Exposed 7 Network Security Secrets & Solutions

Hacking Exposed 7
Network Security Secrets & Solutions
Chapter 4 Hacking Windows
Hacking Windows
• Unauthenticated attacks
• Authenticated attacks
• Windows security features
• Vulnerabilities
– Trivially exploited configuration vulnerabilities
• NetBIOS null sessions, simple IIS buffer overflow
– More complex ones
• Heap exploits, end user attack through Internet Explorer
• Areas of focus
– Network services, kernel drivers, applications
• Factors of risk: popularity and complexity
– Popular Windows vulnerabilities: Code Red, Nimda,
Slammer, Blaster, Netsky, Gimmiv, etc.
– NT 3.51  Windows 7: tenfold in code size
• New security-related features
– Reduced default network services, host firewall enabled by
default, user account control (UAC), etc.
Unauthenticated Attacks
Authenticated Spoofing
• Remote password guessing
– Main targets: Server Message Block (SMB) on TCP 445
and 139, Microsoft Remote Procedure Call (MSRPC)
on TCP 135, Terminal Services (TS) on TCP 3389, SQL
on TCP 1433 and UDP 1434, SharePoint (SP) over HTTP
on TCP 80 and HTTPS on TCP 443, etc.
– Automatic guessing on CLI: FOR and net use with
username/password file (see virus/org/defaultpassword), enum, Brutus, THC Hydra, Venom
– Automatic guessing on GUI of Terminal
Services/Remote Desktop Services: TSGrinder,
Rdesktop after patch with brute-force capabilities
Unauthenticated Attacks
Password-Guessing Countermeasures
• Network firewall to restrict access to
potentially vulnerable services/ports
• Host “Windows Firewall”
• Disable unnecessary services
• Enforce strong password policy
• Set an account-lockout threshold
• Log and analyze account logon failures
– Dumpel, DumpEvt, Event Comb, ELM Log Manager
Unauthenticated Attacks
Eavesdropping on Network Password Exchange
• Three authentication protocols: LM (LAN
Manager) (with hash), NTLM (with RC4
encryption), Kerberos (with private or optional
public key encryption)
• Attack tools: Cain, LCP, L0phtcrack, KerbSniff
– Sniffing, brute-force cracking, dictionary cracking,
Rainbow cracking (from a valid account)
– To sniff on a switched network: ARP
spoofing/poisoning to redirect traffic through
Unauthenticated Attacks
Windows Authentication Sniffing Countermeasures
• Disable LM authentication
• Pick good passwords (password complexity
• No dictionary password
• Use public key encryption
• Use built-in Windows IPsec to authenticate
and encrypt traffic
Unauthenticated Attacks
Man-in-the-Middle Attacks (MITM)
• Relay legitimate client authentication exchange and
gain access to the server as the client
• SMBRelay: Harvest usernames and password hashes
from SMB traffic and import into cracking tools
• ARP spoofing and DNS redirection: force victims to
connect and authenticate to malicious SMB servers
• Tools: Cain, Squirtle, SMBRelay3
– Cain: redirect local traffic to itself with ARP spoofing, then
downgrade clients to easier authentication dialects
(sniffed, unencrypted, recorded)
• MITM countermeasures
– Authenticate and encrypt connections between clients and
• IPsec in Windows Firewall
– Disable NetBIOS Name Services
Unauthenticated Attacks
• Use LM and/or NTLM hash of a user’s password
– No need to crack/brute-force the hash to cleartext
– Replay to gain to gain authorized access
– Limitations: Not all functionalities of the protocol are
– Dump/modify NTLM credentials stored in memory
and replay
• Windows Credentials Editor (WCE)
• Pass the ticket for Kerberos
– WCE: dump Windows Kerberos tickets and reuse them
Unauthenticated Attacks
Remote Unauthenticated Exploits
• Flaws or misconfigurations in Windows software
– TCP/UDP services  driver interface, user-mode
applications (MS Office, Internet Explorer, Adobe
Acrobat Reader)
• Metaexploit
– Framework plus archive of exploit modules
– Locate/search the exploit module
– Customize exploit parameters (vendor and model of
victim software), payloads (remote command shell,
users, injecting prebuilt code), and options (target IP
address, IDS evasion, etc.)
• Network service exploit countermeasures
– Patch, available workaround, log and respond
Unauthenticated Attacks
End-User Application Exploits
• End users
– Less professional on security
– Poorly managed rich software ecosystem
• Adobe Flash Player in browser
– Display of rich media and animated content over
– Metaexploit (search /w adobe flash)
• Countermeasures
– Personal firewall, network firewall, patch, antivirus,
Internet options in control panel, least privilege, read
email in plaintext, configure to very high macro
security, don’t be gullible, secure devices physically
Unauthenticated Attacks
Device Driver Exploits
• Windows wireless: within physical proximity to a
rogue access point beaconing malicious packets
• Plug and play (compatibility)
– Vast sea of drivers
• Execution in highly privileged kernel mode 
total compromise
• Metaexploit exploit modules: e.g. oversized
wireless beacon frame  remote code execution
• Countermeasures
– Patch, turn-off at high concentration of APs, driver
signing (trusted signatures on kernel-mode software),
User-Mode Driver Framework (UMDF)
Authenticated Attacks
Privilege escalation
• Privilege escalation
– From a user account to admin/system privilege
• Getadmin family of exploits – DLL injection
– Interactively logged-on accounts from escalating privileges
– From Administrator to SYSTEM privilege
• at (Windows Scheduler service) or psexec (remotely)
• Preventing privilege escalation
– Patch your Windows
– Restrict interactive logon privileges
• Run Security Policy applet  Local Policies  User
Right Assignment  Deny log on locally
Authenticated Attacks
Extracting Passwords
• Extracting and cracking passwords
– From administrator, post-exploit activities:
• Gather more usernames and passwords
• Disable Windows firewall
• Grabbing password hashes
– Stored in Windows Security Accounts Manager (SAM)
for local users, Active Directory on Windows 2000 and
domain controllers (DCs) for domain accounts
– pwdump/pwdump2-6, fgdump, and automated
remote hash extraction (LSA cache dumping,
protected store enumeration)
• use DLL injection to insert themselves into a privileged
running process to extract password hashes
– pwdump countermeasures: no defense if /w admin
and DLL injection
Authenticated Attacks
Cracking passwords
• Hashing – one-way encipherment
• Offline password guessing
– Hashing algorithm  hash for a list of possible values (e.g. dictionary) 
compare with hashed password from pwdump  matched means
– Account lockout is not an issue
• Weak hash algorithm
– Stronger hashing vs. salting (random value to prevent precomputed hash
tables, rainbow tables, that speedup cracking)
• Smart guessing
– Dictionary, brute-force, precomputed hash tables
– Project Rainbow Crack: precomputed LM hash table for $120 with 24GB
in 6 DVDs
• Tools
– CLI: John The Ripper Jumbo
– GUI: LCP, Cain (dictionary, brute-force, LM/NTLM hashes, sniffed, rainbow
tables), Ophcrack, L0phtcrack, Elcomsoft
• Processing time
– Entropy ~ unpredictability
Authenticated Attacks
Dumping Cached Passwords
• Dumping cached passwords
– Local Security Authority (LSA) Secrets cache
• Service account passwords in plaintext, cached password hashes
of the last ten logon users, FTP/Web user plaintext passwords,
remote access services (RAS) dial-up accounts and passwords, etc.
• LSADump2 (~pwdump2 with DLL injection): finds PID of LSASS,
injects itself, grabs LSA Secrets
• Cain (with built-in LSA Secrets extractor), gsecdump
• CacheDump, MS-Cache Hashes, WCE
• Password cache dumping countermeasures
– LSA hotfix /w encryption: but circumvented by lsadump2
by DLL injection
– Avoid getting admin-ed in the first place
– Change the Registry value
Authenticated Attacks
Dumping Hashes Stored in Memory
• Dumping hashes stored in memory
– Windows Credentials Editor (WCE)
– In memory: usernames, domain names, password
hashes of users logon interactively, locally or remotely
• Cached credentials
• Dumping hashes stored in memory
– No silver bullet
– Keep the security of ALL members
• Compromised server  compromised domain
– Avoid RDP to unknown systems
– Avoid granting admin privileges
Authenticated Attacks
Remote Control and Back Doors
• Back doors: services enabling remote control
• Command-line remote control tools
– netcat/nc (TCP/IP Swiss army knife)
• Configured to listen on a port and launch an executable when
– psexec (SMB on TCP 139 or 445) and at
– Metaexploit Framework: a large array of backdoor
payloads to spawn command-line shells bound to listening
ports, etc.
• Graphical remote control tools
– Terminal Services on TCP 3389
– Virtual Network Control (VNC)
Authenticated Attacks
Port Redirection
• Fpipe
– A TCP source port forwarder/redirector
– A compromised system running a telnet server
behind a firewall that blocks port 23 (telnet) but
allow port 53 (DNS)
• Fpipe started with a listening server port 53 and
redirected to port 23
• Stream forced by Fpipe to use source port 53 to pass
the firewall
Authenticated Attacks
Covering Tracks
• Disabling auditing
– auditpol
• Clearing event log
– elsave
• Hiding files
– attrib
– Alternate Data Streams (ADS)
• Rootkits
– Post-exploit kits after gaining the root privilege
General Countermeasures to
Authenticated Compromise
• Filenames
– Look for suspicious or hidden file names
– Use antimalware software
• Registry keys
– Look for rogue registry keys (most applications look for specific
values in specific locations)
– reg delete to remove them
• Processes
– Malicious process with CPU utilization
– kill to stop
– Check scheduler queue: at, schtasks, task scheduler
• Ports
– Identify renamed netcat listener (back door): netstat -an
Windows Security Features (1/3)
• Windows Firewall
– “Exception” metaphor for permitted applications
– All inbound connections are blocked by default
• Automated Updates
• Security Center
– For consumers, not IT pros
• Security Policy and Group Policy
– For stand-alone computer and large number of systems
• Microsoft Security Essentials
– Antimalware: real-time protection, system scanning and
cleaning, rootkit protection, network inspection, automatic
• The Enhanced Mitigation Experience Toolkit
– Managing mitigation technologies in Windows: DEP (Data
Execution Prevention), ASLR (Address Space Layout
Windows Security Features (2/3)
• Bitlocker and encryption file system
– EFS (Encryption File System)
• Symmetric key itself encrypted by public key of a user and
stored as an attribute of the file; symmetric key decrypted
by a private key first before decrypting the file
– BDE (Bitlock Drive Encryption)
• Encrypt the entire volumes and store the key securely
• Cold boot attack: cool DRAM chips to increase the time
before the key is flushed from volatile memory
• Countermeasures: separate the key physically, removable
external module
• Windows Resource Protection (WRP)
– Protect files and registry values from modifications by
• Integrity levels
– Mandatory Integrity Control (MIC): actions - privileges
Windows Security Features (3/3)
• Data Execution Protection (DEP)
– Mark portions of memory nonexecutable to
prevent buffer overflow attacks
• Windows service hardening
– Service resource isolation, least privilege services,
service refactoring, restricted network access,
session 0 isolation
• Compiler-based enhancements
– Compile-time under-the-hood features, not
configurable by admins or users: buffer security
check (GS), ASLR, SafeSEH
Center for Internet Security (CIS): free Microsoft security
configuration benchmarks and scoring tools at www.cisecurity.org
Another book – Hacking Exposed Windows
New Microsoft security tools and best practices at
Don’t forget exposures from other Microsoft products, e.g. SQL
Applications are far more vulnerable than OS
Hacking Exposed Web Applications
Minimization equals higher security
Disable file, print, and other unnecessary services
Use Windows Firewall
Protect Internet-facing servers
Keep up to date service packs and security patches
Limit interactive logon privileges and escalation
Use Group Policy to create and distribute configurations
Enforce physical security against offline attacks
Subscribe to security publications and online resources

similar documents